Data Transfers: US Executive Order and EU Commission draft adequacy decision
- Articles and memoranda
- Posted 22.12.2022
For an outlook of the latest development as at July 2023 in relation to transfers to the US, please read our article about the New EU adequacy decision allowing personal data transfers to US self-certified entities!
Introduction
Since the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union ("CJEU"), the long-term lawfulness of cross-border transfers of personal data from the European Union to the United States remain uncertain. Private and public players must therefore rely on alternative tools provided by Chapter V of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR"). Recently, the President of the United States has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("Executive Order") which will provide enhanced protection for the free flow of personal data between the European Union and the United States for a “durable and reliable legal basis for transatlantic data flows”.1
Enhanced protection provided by the Executive Order
The Executive Order builds upon the preliminary agreement in principle2 which the European Commission and the United States have reached on a new EU-U.S. Data Privacy Framework. Essentially, the Executive Order addresses the concerns raised by the CJEU when invalidating the EU-U.S Privacy Shield in 2020. More precisely, it (i) establishes binding enhanced protections for European data subjects and (ii) reinforces their safeguards when personal data is collected through the activities of the members of the Intelligence Community.3 These enhanced protections imply:
- that personal data collected through said activities may only be collected for a defined national security objective and only when necessary to advance a validated and proportionate priority
- the establishment of an independent and impartial two-step redress mechanism which includes a Civil Liberties Protection Officer as well as a Data Protection Review Court to investigate and to resolve complaints and access requests by European data subjects.
What are the next steps?
On 13 December 2022, in light of the Executive Order, the Commission issued a first draft adequacy decision (available here) on this potential upcoming EU-US Data Privacy Framework. This is a new step forward in the European Union and United States efforts to address the concerns raised by the CJEU in the aforementioned Schrems II decision issued July 2020. In a nutshell, the draft adequacy decision provides that the EU-US Data Privacy Framework based on the abovementioned Executive Order ensures a comparable level of safeguards for data subjects and their personal data than that in the EU.
The draft adequacy decision has now been transmitted to the European Data Protection Board who will perform its own assessment and publish its opinion. Members States will also be involved in the review process.
What should companies (and other data exporters) do in the meantime?
Until a final adequacy decision is adopted, all transfers of personal data to the United States must be performed via the alternative tools provided by Chapter V of the GDPR. Currently, standard contractual clauses ("SCCs") remain the most common used transfer. In June 2021, the Commission adopted its most recent SCCs which will provide more flexibility and which should cover various transfer scenarios in one single document. The deadline to transition existing data transfer arrangements based on the “old” SCCs to the 2021 SCCs is set for 27 December 2022. Companies and other players must therefore replace existing data transfer agreements with the most recent SCCs before the end of this year.
Towards Schrems III?
Once adopted, a final adequacy decision can, however, still be challenged before the CJUE. Several privacy rights agencies have already expressed their scepticism as to whether the Executive Order will be sufficiently protective or address in a satisfactory manner the concerns raised by the CJUE in their Schrems II ruling. It remains uncertain therefore whether the Executive Order is setting the basis for a durable framework for international data transfers.
Related publications
CJEU invalidates the Privacy Shield: implications for EU-US personal data transfers
- Publication
- Articles and memoranda
- Posted 24.07.2020
EDPB's FAQ about the invalidation of the Privacy Shield
- Publication
- Articles and memoranda
- Posted 01.09.2020
EDPB Recommendations 01/2020 and 02/2020 on transfers of personal data after Schrems II
- Publication
- Articles and memoranda
- Posted 20.11.2020
Fiche pratique : Arrêt Schrems II de la CJUE : que faire ?
- Publication
- Articles and memoranda
- Posted 15.12.2020
GDPR - Transfers of personal data in the UCI world after Schrems II
- Publication
- Articles and memoranda
- Posted 31.03.2021
GDPR compliance - New standard contractual clauses
- Publication
- Articles and memoranda
- Posted 09.06.2021
GDPR: EU Commission’s Q&A about the New Standard Contractual Clauses for Transfers
- Publication
- Articles and memoranda
- Posted 12.07.2022